Working with NTFS permissions in PowerShell (Part 2)

In the first part we discussed how NTFS permissions work and we also talked about the components of the security descriptor. In this second part we will show how to apply this in some real-life examples.

Adding a user to the ACL of a directory

In this first example we will add a user to the ACL of a directory. Obviously the code below could be written more compactly, but for the purpose of this tutorial it makes more sense to break it down to make it easier to understand.

# Get the ACL of the directory and put it in a variable.
$ACL = Get-Acl -Path C:\SuperSysAdmin

# Create a new object representing the user and put it in a variable.
$NTAccount = New-Object System.Security.Principal.NTAccount("supersysadmin")

# Define each part of the ACE and put them in a variable.
$FileSystemRights = [System.Security.AccessControl.FileSystemRights]"ReadAndExecute"
$InheritanceFlags = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit"
$PropagationFlags = [System.Security.AccessControl.PropagationFlags]"None"
$AccessControlType = [System.Security.AccessControl.AccessControlType]"Allow"

# Create a new variable containing the above defined variables.
$UserPermissions = $NTAccount,$FileSystemRights,$InheritanceFlags,$PropagationFlags,$AccessControlType

# Create a new object for the FileSystemAccessRule and supply the $UserPermissions variable as the argument.
$AccessRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $UserPermissions

# Now we call the SetAccessRule method and supply the $AccessRule variable to it.
$ACL.SetAccessRule($AccessRule)

# Finally we apply the ACL again.
$ACL | Set-Acl -Path C:\SuperSysAdmin

First we get the current ACL of the directory. Then we define the different parts of the new ACE and store them each time in a variable. Finally we bring those variables together, feed them to the SetAccessRule method and then again set the ACL on the directory.

Removing inheritance from a directory

By default any permission that is configured on a directory will be inherited by its children. In some cases you may want to define more strict permissions. As inherited permissions cannot be removed just like that, we first need to break the inheritance.

The inheritance can be manipulated with the SetAccessRuleProtection method. You will need to specify two parameters:

  • isProtected: when set to $true the directory will be “protected” against inheriting permissions from the parent directory. In other words, it will no longer inherit the permissions. When set to $false, the inheritance will remain intact.
  • preserveInheritance: when set to $true, the currently inherited permissions will remain present, but will be converted into explicit permissions. This will make it possible to manipulate these permissions afterwards. When set to $false, all inherited permissions will be removed.

# Get the ACL of the directory and put it in a variable.
$ACL = Get-Acl -Path C:\SuperSysAdmin

# Now we call SetAccessRuleProtection method and set both the isProtected and preserveInheritance parameters to $true.
$ACL.SetAccessRuleProtection($True,$True)

# Finally we apply the ACL again.
Set-Acl -Path C:\SuperSysAdmin -AclObject $ACL

Removing permissions from a directory

In this example we will remove all permissions from a directory, except Administrators and SYSTEM. A prerequisite is that inheritance has already been broken on the directory, because inherited ACEs cannot be removed with RemoveAccessRule (see the previous example for how to do that).

# Get the ACL of the directory and put it in a variable.
$ACL = Get-Acl -Path C:\Test

# Get all the ACEs of the directory, filter out Administrators and SYSTEM and then pipe this list to the RemoveAccessRule method.
$ACL.Access |
    Where-Object -FilterScript { $_.IdentityReference -notlike "*Administrators*" -and $_.IdentityReference -notlike "*SYSTEM*" } |
    ForEach-Object -Process { $ACL.RemoveAccessRule($_) }

# Finally we apply the ACL again.
Set-Acl -Path C:\Test -AclObject $ACL
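The three examples above are usually run together when locking down a folder. The function below is an added example, not code from the original post: it chains the steps (break inheritance while preserving the ACEs, strip everything except Administrators and SYSTEM, add one principal with ReadAndExecute) and goes one step further than the post by matching the kept principals on their well-known SIDs instead of a name wildcard. The path C:\SuperSysAdmin and the account supersysadmin are the post's placeholders; the function name is my own.

```powershell
function Set-RestrictedFolderAcl {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Account,
        [System.Security.AccessControl.FileSystemRights] $Rights = 'ReadAndExecute'
    )

    # Well-known SIDs of BUILTIN\Administrators and NT AUTHORITY\SYSTEM. Matching on
    # the SID instead of -notlike "*Administrators*" avoids keeping an unrelated
    # group whose display name merely contains that word.
    $keepSids = @('S-1-5-32-544', 'S-1-5-18')

    # Step 1: break inheritance, keeping the inherited ACEs as explicit copies, and
    # write the ACL back. It is re-read afterwards so that step 2 sees the converted
    # ACEs as explicit; RemoveAccessRule ignores ACEs that are still inherited.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl
    $acl = Get-Acl -Path $Path

    # Step 2: drop every ACE whose SID is not in the keep list. @() takes a snapshot
    # of the collection so removing rules does not disturb the enumeration.
    foreach ($ace in @($acl.Access)) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($keepSids -notcontains $sid) {
            [void] $acl.RemoveAccessRule($ace)
        }
    }

    # Step 3: grant the requested account, inheriting to subfolders and files.
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Account, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Return what is now on disk so the result can be reviewed or logged.
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

# Placeholders from the post; run as an account that holds WRITE_DAC on the folder.
Set-RestrictedFolderAcl -Path 'C:\SuperSysAdmin' -Account 'supersysadmin'
```

The returned table is the post-change ACL, so a row with IsInherited set to True or an unexpected IdentityReference shows immediately that the lockdown did not take effect as intended.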
